我正在尝试连接一个 SQL 查询字符串和一个应该大写的十六进制字符串。hURL -X -s
接受一个字符串或文件并将其转换为十六进制。
cmd = "/root/Desktop/pentest/tools/hURL/hURL -X -s " +
md5_got.chomp.delete("\n").to_s
md5_tohex = `#{cmd}`
md5_where = md5_tohex.chomp.delete("\n").to_s
此时,md5_where
是:
1b5b316d34303339613365663766633739653461646236306234336163313038643634381b5b306d
我需要这个十六进制大写。我在所有排列中都做了这两个,包括省略to_s
和!
:
md5_where.upcase!
md5_where.to_s!
我尝试结合我的查询和我的十六进制值:
sql_comp = "SELECT word FROM captcha_rbow WHERE hex(md5) = " + md5_where
puts sql_comp
puts '###
abort()
这就是我得到的:
1B5B316D653...B306D
前导空格等于 SQL 查询的长度和屏幕上打印的 upstring 变量,没有 SQL 查询的痕迹
如果我接受md5_where
,我会得到这个,这应该是:
SELECT word FROM captcha_rbow WHERE hex(md5) =
为什么这会破坏文本?这是完整的脚本需要'open-uri'需要'sqlite3'
open('GOT_captcha.png', 'wb') do |file|
file << open('http://192.168.56.101/captcha/example5/captcha.png').read
end
cmd = "/root/Desktop/pentest/tools/hURL/hURL -m -s -f GOT_captcha.png"
md5orig = `#{cmd}`
cmd = "/root/Desktop/pentest/tools/hURL/hURL -X -s " + md5orig.chomp.delete("\n").to_s
puts cmd
md5_tohex = `#{cmd}`
md5_where = md5_tohex.to_s
puts md5_where
sql_comp = "SELECT word FROM captcha_rbow WHERE (hex(md5)) = " + md5_where.upcase
puts sql_comp
#THIS IS WHERE THE PROBLEM IS
begin
db = SQLite3::Database.open( "akad_web2" )
sql_comp = "SELECT word FROM captcha_rbow WHERE hex(md5) = '" + md5_where.upcase + "';"
puts sql_comp
stm = db.prepare sql_comp
rs = stm.execute
row = rs.next
puts row.to_s
rescue SQLite3::Exception => e
puts "Exception occurred"
puts e
ensure
stm.close if stm
db.close if db
end
abort()
注意 - 输入是一个图像文件(通过 RMagick 生成的验证码,带有一组已知的可能字符串),用于生成 MD5 彩虹表。
这是输出:
/root/Desktop/pentest/tools/hURL/hURL -X -s 4039a3ef7fc79e4adb60b43ac108d648
1b5b316d34303339613365663766633739653461646236306234336163313038643634381b5b306d
1B5B316D34303339613365663766633739653461646236306234336163313038643634381B5B306D
1B5B316D34303339613365663766633739653461646236306234336163313038643634381B5B306D';
root@kali:~/Desktop/Akademy_webpentest_2#